package com.floragunn.searchguard.enterprise.dlsfls.legacy.filter;

import com.floragunn.searchguard.authz.DocumentWhitelist;
import com.floragunn.searchguard.authz.SyncAuthorizationFilter;
import com.floragunn.searchguard.authz.actions.ActionRequestIntrospector;
import com.floragunn.searchguard.enterprise.dlsfls.legacy.DlsQueryParser;
import com.floragunn.searchguard.enterprise.dlsfls.legacy.EvaluatedDlsFlsConfig;
import com.floragunn.searchguard.queries.QueryBuilderTraverser;
import com.floragunn.searchguard.support.SgUtils;
import com.floragunn.searchsupport.reflection.ReflectiveAttributeAccessors;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.ElasticsearchSecurityException;
import org.elasticsearch.action.ActionListener;
import org.elasticsearch.action.ActionRequest;
import org.elasticsearch.action.admin.cluster.shards.ClusterSearchShardsRequest;
import org.elasticsearch.action.get.GetRequest;
import org.elasticsearch.action.get.GetResponse;
import org.elasticsearch.action.get.MultiGetItemResponse;
import org.elasticsearch.action.get.MultiGetRequest;
import org.elasticsearch.action.get.MultiGetResponse;
import org.elasticsearch.action.search.MultiSearchRequest;
import org.elasticsearch.action.search.SearchRequest;
import org.elasticsearch.action.search.SearchResponse;
import org.elasticsearch.client.Client;
import org.elasticsearch.cluster.metadata.IndexMetadata;
import org.elasticsearch.cluster.metadata.IndexNameExpressionResolver;
import org.elasticsearch.cluster.service.ClusterService;
import org.elasticsearch.common.bytes.BytesReference;
import org.elasticsearch.common.document.DocumentField;
import org.elasticsearch.common.util.concurrent.ThreadContext;
import org.elasticsearch.index.IndexService;
import org.elasticsearch.index.get.GetResult;
import org.elasticsearch.index.mapper.MapperService;
import org.elasticsearch.index.query.BoolQueryBuilder;
import org.elasticsearch.index.query.QueryBuilder;
import org.elasticsearch.index.query.QueryBuilders;
import org.elasticsearch.index.query.TermsQueryBuilder;
import org.elasticsearch.indices.IndicesService;
import org.elasticsearch.search.SearchHit;
import org.elasticsearch.search.builder.SearchSourceBuilder;

/* loaded from: input_file:com/floragunn/searchguard/enterprise/dlsfls/legacy/filter/DlsFilterLevelActionHandler.class */
public class DlsFilterLevelActionHandler {
    private static final Logger log = LogManager.getLogger(DlsFilterLevelActionHandler.class);
    private static final Function<SearchRequest, String> LOCAL_CLUSTER_ALIAS_GETTER = ReflectiveAttributeAccessors.protectedObjectAttr("localClusterAlias", String.class);
    private final String action;
    private final ActionRequest request;
    private final ActionListener<?> listener;
    private final EvaluatedDlsFlsConfig evaluatedDlsFlsConfig;
    private final ActionRequestIntrospector.ResolvedIndices resolved;
    private final boolean requiresIndexScoping;
    private final Client nodeClient;
    private final DlsQueryParser dlsQueryParser;
    private final ClusterService clusterService;
    private final IndicesService indicesService;
    private final ThreadContext threadContext;
    private BoolQueryBuilder filterLevelQueryBuilder;
    private DocumentWhitelist documentWhitelist;

    public static SyncAuthorizationFilter.Result handle(String str, ActionRequest actionRequest, ActionListener<?> actionListener, EvaluatedDlsFlsConfig evaluatedDlsFlsConfig, ActionRequestIntrospector.ResolvedIndices resolvedIndices, Client client, ClusterService clusterService, IndicesService indicesService, IndexNameExpressionResolver indexNameExpressionResolver, DlsQueryParser dlsQueryParser, ThreadContext threadContext) {
        return threadContext.getHeader("_sg_filter_level_dls_done") != null ? SyncAuthorizationFilter.Result.OK : (str.startsWith("searchguard:cluster:") || str.startsWith("cluster:") || str.startsWith("indices:admin/template/") || str.startsWith("indices:admin/index_template/")) ? SyncAuthorizationFilter.Result.OK : str.startsWith("indices:data/read/scroll") ? SyncAuthorizationFilter.Result.OK : (str.equals("indices:data/read/search/template") || str.equals("indices:data/read/msearch/template")) ? SyncAuthorizationFilter.Result.OK : actionRequest instanceof MultiSearchRequest ? SyncAuthorizationFilter.Result.OK : new DlsFilterLevelActionHandler(str, actionRequest, actionListener, evaluatedDlsFlsConfig, resolvedIndices, client, clusterService, indicesService, indexNameExpressionResolver, dlsQueryParser, threadContext).handle();
    }

    DlsFilterLevelActionHandler(String str, ActionRequest actionRequest, ActionListener<?> actionListener, EvaluatedDlsFlsConfig evaluatedDlsFlsConfig, ActionRequestIntrospector.ResolvedIndices resolvedIndices, Client client, ClusterService clusterService, IndicesService indicesService, IndexNameExpressionResolver indexNameExpressionResolver, DlsQueryParser dlsQueryParser, ThreadContext threadContext) {
        this.action = str;
        this.request = actionRequest;
        this.listener = actionListener;
        this.evaluatedDlsFlsConfig = evaluatedDlsFlsConfig;
        this.resolved = resolvedIndices;
        this.nodeClient = client;
        this.clusterService = clusterService;
        this.indicesService = indicesService;
        this.dlsQueryParser = dlsQueryParser;
        this.threadContext = threadContext;
        this.requiresIndexScoping = resolvedIndices.isLocalAll() || resolvedIndices.getLocalAndRemoteIndices().size() != 1;
    }

    private SyncAuthorizationFilter.Result handle() {
        ThreadContext.StoredContext newStoredContext = this.threadContext.newStoredContext(true);
        try {
            this.threadContext.putHeader("_sg_filter_level_dls_done", this.request.toString());
            try {
                if (!createQueryExtension()) {
                    SyncAuthorizationFilter.Result result = SyncAuthorizationFilter.Result.OK;
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                    return result;
                }
                if (log.isDebugEnabled()) {
                    log.debug("Created filterLevelQuery for " + this.request + ":\n" + this.filterLevelQueryBuilder);
                }
                if (this.filterLevelQueryBuilder == null) {
                    SyncAuthorizationFilter.Result result2 = SyncAuthorizationFilter.Result.OK;
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                    return result2;
                }
                if (this.request instanceof SearchRequest) {
                    SyncAuthorizationFilter.Result handle = handle((SearchRequest) this.request, newStoredContext);
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                    return handle;
                }
                if (this.request instanceof GetRequest) {
                    SyncAuthorizationFilter.Result handle2 = handle((GetRequest) this.request, newStoredContext);
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                    return handle2;
                }
                if (this.request instanceof MultiGetRequest) {
                    SyncAuthorizationFilter.Result handle3 = handle((MultiGetRequest) this.request, newStoredContext);
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                    return handle3;
                }
                if (this.request instanceof ClusterSearchShardsRequest) {
                    SyncAuthorizationFilter.Result handle4 = handle((ClusterSearchShardsRequest) this.request, newStoredContext);
                    if (newStoredContext != null) {
                        newStoredContext.close();
                    }
                    return handle4;
                }
                log.error("Unsupported request type for filter level DLS: " + this.request);
                SyncAuthorizationFilter.Result reason = SyncAuthorizationFilter.Result.DENIED.reason("Unsupported request type for filter level DLS: " + this.action + "; " + this.request.getClass().getName());
                if (newStoredContext != null) {
                    newStoredContext.close();
                }
                return reason;
            } catch (Exception e) {
                log.error("Unable to handle filter level DLS", e);
                SyncAuthorizationFilter.Result cause = SyncAuthorizationFilter.Result.DENIED.cause(e);
                if (newStoredContext != null) {
                    newStoredContext.close();
                }
                return cause;
            }
        } catch (Throwable th) {
            if (newStoredContext != null) {
                try {
                    newStoredContext.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private SyncAuthorizationFilter.Result handle(SearchRequest searchRequest, final ThreadContext.StoredContext storedContext) {
        if (this.documentWhitelist != null) {
            this.documentWhitelist.applyTo(this.threadContext);
        }
        String apply = LOCAL_CLUSTER_ALIAS_GETTER.apply(searchRequest);
        if (apply != null) {
            try {
                createQueryExtension(apply);
            } catch (Exception e) {
                log.error("Unable to handle filter level DLS", e);
                this.listener.onFailure(new ElasticsearchSecurityException("Unable to handle filter level DLS", e, new Object[0]));
                return SyncAuthorizationFilter.Result.INTERCEPTED;
            }
        }
        if (searchRequest.source().query() != null) {
            this.filterLevelQueryBuilder.must(searchRequest.source().query());
        }
        searchRequest.source().query(this.filterLevelQueryBuilder);
        this.nodeClient.search(searchRequest, new ActionListener<SearchResponse>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.legacy.filter.DlsFilterLevelActionHandler.1
            public void onResponse(SearchResponse searchResponse) {
                try {
                    storedContext.restore();
                    DlsFilterLevelActionHandler.this.listener.onResponse(searchResponse);
                } catch (Exception e2) {
                    DlsFilterLevelActionHandler.this.listener.onFailure(e2);
                }
            }

            public void onFailure(Exception exc) {
                DlsFilterLevelActionHandler.this.listener.onFailure(exc);
            }
        });
        return SyncAuthorizationFilter.Result.INTERCEPTED;
    }

    private SyncAuthorizationFilter.Result handle(final GetRequest getRequest, final ThreadContext.StoredContext storedContext) {
        if (this.documentWhitelist != null) {
            this.documentWhitelist.applyTo(this.threadContext);
        }
        final SearchRequest searchRequest = new SearchRequest(getRequest.indices());
        searchRequest.source(SearchSourceBuilder.searchSource().query(QueryBuilders.boolQuery().must(QueryBuilders.idsQuery().addIds(new String[]{getRequest.id()})).must(this.filterLevelQueryBuilder)));
        this.nodeClient.search(searchRequest, new ActionListener<SearchResponse>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.legacy.filter.DlsFilterLevelActionHandler.2
            public void onResponse(SearchResponse searchResponse) {
                try {
                    storedContext.restore();
                    long j = searchResponse.getHits().getTotalHits().value;
                    ActionListener actionListener = DlsFilterLevelActionHandler.this.listener;
                    if (j == 1) {
                        actionListener.onResponse(new GetResponse(DlsFilterLevelActionHandler.this.searchHitToGetResult(searchResponse.getHits().getAt(0))));
                    } else if (j == 0) {
                        actionListener.onResponse(new GetResponse(new GetResult(searchRequest.indices()[0], "_doc", getRequest.id(), -2L, 0L, -1L, false, (BytesReference) null, (Map) null, (Map) null)));
                    } else {
                        DlsFilterLevelActionHandler.log.error("Unexpected hit count " + j + " in " + searchResponse);
                        DlsFilterLevelActionHandler.this.listener.onFailure(new ElasticsearchSecurityException("Internal error when performing DLS", new Object[0]));
                    }
                } catch (Exception e) {
                    DlsFilterLevelActionHandler.this.listener.onFailure(e);
                }
            }

            public void onFailure(Exception exc) {
                DlsFilterLevelActionHandler.this.listener.onFailure(exc);
            }
        });
        return SyncAuthorizationFilter.Result.INTERCEPTED;
    }

    private SyncAuthorizationFilter.Result handle(MultiGetRequest multiGetRequest, final ThreadContext.StoredContext storedContext) {
        BoolQueryBuilder must;
        if (this.documentWhitelist != null) {
            this.documentWhitelist.applyTo(this.threadContext);
        }
        Map map = (Map) multiGetRequest.getItems().stream().collect(Collectors.groupingBy(item -> {
            return item.index();
        }, Collectors.mapping(item2 -> {
            return item2.id();
        }, Collectors.toSet())));
        Set keySet = map.keySet();
        SearchRequest searchRequest = new SearchRequest((String[]) keySet.toArray(new String[keySet.size()]));
        if (keySet.size() == 1) {
            Set set = (Set) map.get(keySet.iterator().next());
            must = QueryBuilders.boolQuery().must(QueryBuilders.idsQuery().addIds((String[]) set.toArray(new String[set.size()]))).must(this.filterLevelQueryBuilder);
        } else {
            BoolQueryBuilder minimumShouldMatch = QueryBuilders.boolQuery().minimumShouldMatch(1);
            for (Map.Entry entry : map.entrySet()) {
                minimumShouldMatch.should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("_index", (String) entry.getKey())).must(QueryBuilders.idsQuery().addIds((String[]) ((Set) entry.getValue()).toArray(new String[((Set) entry.getValue()).size()]))));
            }
            must = QueryBuilders.boolQuery().must(minimumShouldMatch).must(this.filterLevelQueryBuilder);
        }
        searchRequest.source(SearchSourceBuilder.searchSource().query(must));
        this.nodeClient.search(searchRequest, new ActionListener<SearchResponse>() { // from class: com.floragunn.searchguard.enterprise.dlsfls.legacy.filter.DlsFilterLevelActionHandler.3
            public void onResponse(SearchResponse searchResponse) {
                try {
                    storedContext.restore();
                    ArrayList arrayList = new ArrayList(searchResponse.getHits().getHits().length);
                    for (SearchHit searchHit : searchResponse.getHits().getHits()) {
                        arrayList.add(new MultiGetItemResponse(new GetResponse(DlsFilterLevelActionHandler.this.searchHitToGetResult(searchHit)), (MultiGetResponse.Failure) null));
                    }
                    DlsFilterLevelActionHandler.this.listener.onResponse(new MultiGetResponse((MultiGetItemResponse[]) arrayList.toArray(new MultiGetItemResponse[arrayList.size()])));
                } catch (Exception e) {
                    DlsFilterLevelActionHandler.this.listener.onFailure(e);
                }
            }

            public void onFailure(Exception exc) {
                DlsFilterLevelActionHandler.this.listener.onFailure(exc);
            }
        });
        return SyncAuthorizationFilter.Result.INTERCEPTED;
    }

    private SyncAuthorizationFilter.Result handle(ClusterSearchShardsRequest clusterSearchShardsRequest, ThreadContext.StoredContext storedContext) {
        this.listener.onFailure(new ElasticsearchSecurityException("Filter-level DLS via cross cluster search is not available for scrolling and minimize_roundtrips=true", new Object[0]));
        return SyncAuthorizationFilter.Result.INTERCEPTED;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public GetResult searchHitToGetResult(SearchHit searchHit) {
        Map map;
        Map emptyMap;
        if (log.isDebugEnabled()) {
            log.debug("Converting to GetResult:\n" + searchHit);
        }
        Map fields = searchHit.getFields();
        if (fields.isEmpty()) {
            map = Collections.emptyMap();
            emptyMap = Collections.emptyMap();
        } else {
            IndexMetadata indexMetadata = (IndexMetadata) this.clusterService.state().getMetadata().indices().get(searchHit.getIndex());
            IndexService indexService = indexMetadata != null ? this.indicesService.indexService(indexMetadata.getIndex()) : null;
            if (indexService != null) {
                map = new HashMap(fields.size());
                emptyMap = new HashMap();
                MapperService mapperService = indexService.mapperService();
                for (Map.Entry entry : fields.entrySet()) {
                    if (mapperService.isMetadataField((String) entry.getKey())) {
                        emptyMap.put((String) entry.getKey(), (DocumentField) entry.getValue());
                    } else {
                        map.put((String) entry.getKey(), (DocumentField) entry.getValue());
                    }
                }
                if (log.isDebugEnabled()) {
                    log.debug("Partitioned fields: " + emptyMap + "; " + map);
                }
            } else {
                if (log.isWarnEnabled()) {
                    log.warn("Could not find IndexService for " + searchHit.getIndex() + "; assuming all fields as document fields.This should not happen, however this should also not pose a big problem as ES mixes the fields again anyway.\nIndexMetadata: " + indexMetadata);
                }
                map = fields;
                emptyMap = Collections.emptyMap();
            }
        }
        return new GetResult(searchHit.getIndex(), searchHit.getType(), searchHit.getId(), searchHit.getSeqNo(), searchHit.getPrimaryTerm(), searchHit.getVersion(), true, searchHit.getSourceRef(), map, emptyMap);
    }

    private boolean createQueryExtension() throws IOException {
        return createQueryExtension(null);
    }

    private boolean createQueryExtension(String str) throws IOException {
        Map<String, Set<String>> dlsQueriesByIndex = this.evaluatedDlsFlsConfig.getDlsQueriesByIndex();
        BoolQueryBuilder minimumShouldMatch = QueryBuilders.boolQuery().minimumShouldMatch(1);
        DocumentWhitelist documentWhitelist = new DocumentWhitelist();
        int i = 0;
        for (String str2 : this.resolved.getLocalAndRemoteIndices()) {
            String evalMap = SgUtils.evalMap(dlsQueriesByIndex, str2);
            String str3 = str != null ? str + ":" + str2 : str2;
            if (evalMap != null) {
                Set<String> set = dlsQueriesByIndex.get(evalMap);
                if (set != null && !set.isEmpty()) {
                    Iterator<String> it = set.iterator();
                    while (it.hasNext()) {
                        i++;
                        QueryBuilder parse = this.dlsQueryParser.parse(it.next());
                        if (this.requiresIndexScoping) {
                            minimumShouldMatch.should(QueryBuilders.boolQuery().must(QueryBuilders.termQuery("_index", str3)).must(parse));
                        } else {
                            minimumShouldMatch.should(parse);
                        }
                        for (TermsQueryBuilder termsQueryBuilder : QueryBuilderTraverser.findAll(parse, queryBuilder -> {
                            return (queryBuilder instanceof TermsQueryBuilder) && ((TermsQueryBuilder) queryBuilder).termsLookup() != null;
                        })) {
                            documentWhitelist.add(termsQueryBuilder.termsLookup().index(), termsQueryBuilder.termsLookup().id());
                        }
                    }
                } else if (this.requiresIndexScoping) {
                    minimumShouldMatch.should(QueryBuilders.termQuery("_index", str3));
                }
            } else if (this.requiresIndexScoping) {
                minimumShouldMatch.should(QueryBuilders.termQuery("_index", str3));
            }
        }
        if (i == 0) {
            return false;
        }
        this.filterLevelQueryBuilder = minimumShouldMatch;
        this.documentWhitelist = documentWhitelist;
        return true;
    }
}
